Recent commits to derivepassphrase.git (07abfb9a325939fbb8f06378b1819bbfe0cf171a)
https://git.schokokeks.org/derivepassphrase.git/tree/07abfb9a325939fbb8f06378b1819bbfe0cf171a
2025-08-03T20:07:56+02:00

tag:gitlist.org,2012:commit/07abfb9a325939fbb8f06378b1819bbfe0cf171a
Add a script to query test key signatures and derived passphrases from an agent
2025-08-03T20:07:56+02:00
Marco Ricci
software@the13thletter.info
<pre>The script attempts to upload each test key to the running SSH agent,
then queries the agent for the signature of the `vault` UUID and
computes the derived passphrase. If that works, then it prints the test
key, augmented by the new signature and new derived passphrase, in
a `repr`-compatible representation that could principally directly be
included into the `tests` module.

(The real code in the `tests` module basically only differs in
whitespace: the hex codes that make up the signatures and the key data
are wrapped manually, in a manner that highlights their structure but
which is difficult/tedious to produce automatically.)

The script has only been tested on UNIX, and because it imports the
`tests` module directly, it should be run in a compatible environment,
e.g., the `hatch-static-analysis` environment.
</pre>
tag:gitlist.org,2012:commit/ea2c3cb5d4ca09932f947922c91baaa906daeb25
Add Pageant 0.68–0.80 signatures and derived passphrases for DSA keys
2025-08-03T19:59:19+02:00
Marco Ricci
software@the13thletter.info
<pre>I generated these signatures and derived passphrases against a manually
compiled instance of Pageant 0.80. (Because, as already hinted at in
d2bb555fd898d63b413b37dc2bd1374d82daeffe, it is somewhat hard to obtain
pre-compiled versions of Pageant with a known security hole. It turned
out to be much easier to compile Pageant ourselves than to find an
unpatched PuTTY distribution.)

(These test vectors are not actually in active use yet.)
</pre>
tag:gitlist.org,2012:commit/10f92193e28b82f843b2ae027cee89935548e842
Harmonize syntax for the test key definitions
2025-08-03T19:35:25+02:00
Marco Ricci
software@the13thletter.info
<pre>No functional change. But harmonizing the syntax makes it easier to
compare machine-generated output with the recorded test vectors for the
test keys.
</pre>
tag:gitlist.org,2012:commit/27a3cf661d83a37f54ed358893ce24345a349c31
Merge topic branch 'test-suite-cleanups' into master
2025-07-27T23:12:36+02:00
Marco Ricci
software@the13thletter.info
<pre>* test-suite-cleanups:
  Comment on coverage exclusions, in shorthand
  Provide more deterministic signatures for the test keys
  Fix, and test for, the consistency of the SSH test keys
  Fix some test suite setup mistakes
</pre>
tag:gitlist.org,2012:commit/c5c882a238537077279b1ea8ad0076b1d812cc85
Comment on coverage exclusions, in shorthand
2025-07-26T17:35:21+02:00
Marco Ricci
software@the13thletter.info
<pre>Add shorthand codes for different types of coverage exclusions,
explained in `pyproject.toml` in the `tool.coverage` section, because
reasons for excluding code branches from coverage tend to fall into
a handful of common categories.

Also add explicit coverage exclusion patterns for dummy classes which
are never intended to actually be called, such as the `_types._Omitted`
class (for styling function signatures in the generated documentation)
and the two `_DummyModule` classes (which stub out missing dependencies
to appease the type checker).

A very few coverage exclusions were actually unnecessary or nonsensical,
and have been rectified.
</pre>
tag:gitlist.org,2012:commit/d2bb555fd898d63b413b37dc2bd1374d82daeffe
Provide more deterministic signatures for the test keys
2025-07-26T16:45:41+02:00
Marco Ricci
software@the13thletter.info
<pre>Record and provide more deterministic signatures for the test keys,
where feasible. In particular, for DSA and ECDSA keys, support
recording the RFC 6979 deterministic DSA signatures, as implemented by
Pageant. In particular, this entails that the `expected_signature` and
`derived_passphrase` fields of the test keys need to change to
accommodate the new shape of the data.

For the existing DSA and ECDSA keys, RFC 6979 signatures and expected
master passphrases are also provided. Providing the Pageant 0.68–0.80
deterministic signatures and expected master passphrases however is not
quite so straight-forward: because the signature class is the subject of
CVE-2024-31497, Pageant < 0.81 is considered to have a security hole,
and thus it is hard to obtain pre-compiled, unpatched installations of
Pageant to compute the signatures/master passphrases against.
</pre>
tag:gitlist.org,2012:commit/f567393b7cb50294e801e340e801345c13e5efe1
Fix, and test for, the consistency of the SSH test keys
2025-07-26T11:45:19+02:00
Marco Ricci
software@the13thletter.info
<pre>A typo existed in the ECDSA NIST P-521 raw public key data, making it
incompatible with the copy of the public key included in the raw private
key blob. This caused UNIX Pageant (and likely any other SSH agent
supporting deterministic DSA signatures, if they exist) to reject
unloading and signing with that key, despite actually supporting the key
format. So fix the typo, and add tests and machinery to ensure
rudimentary consistency of all test key data.
</pre>
tag:gitlist.org,2012:commit/ac6134a86e36ec296102dc1311e5616d01bab4f1
Fix some test suite setup mistakes
2025-07-23T20:13:06+02:00
Marco Ricci
software@the13thletter.info
<pre>These mistakes were carried over from v0.5, and cause woe on The
Annoying OS even before actually running any tests.
</pre>
tag:gitlist.org,2012:commit/4300ae11396bf35f969239755553674a42dc0aed
Merge topic branch 'release-checklist' into master
2025-06-26T18:29:58+02:00
Marco Ricci
software@the13thletter.info
<pre>* release-checklist:
  Fix more details in the release checklist, after the fact
</pre>
tag:gitlist.org,2012:commit/61ebfcab313cfb49878b1f93ff3b53ae1255d48a
Fix more details in the release checklist, after the fact
2025-06-24T22:28:10+02:00
Marco Ricci
software@the13thletter.info
<pre>Some details in the publishing of the documentation are slightly off.
</pre>